ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Deploy Apps Using Winget with Microsoft Intune

How to Deploy Apps Using Winget with Microsoft Intune

Learn to leverage Windows Package Manager (winget) within Microsoft Intune to streamline enterprise software deployments, manage applications at scale, and automate updates across your organization.

Evan MaelEvan Mael
March 26, 2026 15 min
mediumintune 7 steps 15 min

Why Deploy Apps Using Winget with Microsoft Intune?

The integration of Windows Package Manager (winget) with Microsoft Intune represents a significant advancement in enterprise application deployment and management. This powerful combination allows IT administrators to leverage Microsoft's official package repository while maintaining the security, compliance, and scalability benefits of Intune's cloud-based management platform.

Traditional enterprise software deployment often involves complex packaging processes, manual updates, and inconsistent installation experiences across different applications. Winget changes this paradigm by providing a standardized, command-line approach to software installation that works consistently across thousands of applications. When combined with Intune's device management capabilities, organizations can achieve automated, scalable deployments that reduce administrative overhead while improving user experience.

What Makes This Integration Powerful for Enterprise IT?

The winget-Intune integration offers several key advantages over traditional deployment methods. First, it eliminates the need for custom packaging of many popular applications, as winget maintains an extensive repository of pre-configured packages with proper silent installation parameters. Second, it provides automatic update capabilities that can be centrally managed through Intune policies, ensuring applications stay current without manual intervention.

Additionally, this approach supports both direct integration through Intune's native winget selection feature and custom PowerShell scripting for advanced scenarios. This flexibility allows organizations to standardize on a single deployment methodology while accommodating diverse application requirements and deployment scenarios across their environment.

Implementation Guide

Full Procedure

01

Install Windows Package Manager on Target Devices

Before deploying applications via winget, ensure the Windows Package Manager is installed on your target devices. While winget comes pre-installed on newer Windows versions, many enterprise devices may need it deployed through Intune.

Navigate to the Microsoft Intune admin center at https://endpoint.microsoft.com and sign in with your administrator credentials.

Go to Apps > All apps > Add > Microsoft Store app (new). In the package identifier field, enter:

9NBLGGH4NNS1

This is the official package ID for Microsoft App Installer, which includes winget. Configure the app details:

  • Name: Microsoft App Installer
  • Description: Windows Package Manager for enterprise app deployment
  • Publisher: Microsoft Corporation
  • Category: Productivity

Under Assignments, click Add group and select All Devices. Set the assignment type to Required and ensure it deploys in device context.

Pro tip: Deploy to device context rather than user context to ensure winget is available system-wide for all users on the device.

Verification: After deployment, connect to a test device and run:

winget --version
Get-AppxPackage -Name "Microsoft.DesktopAppInstaller"

You should see the winget version number and the App Installer package details.

02

Configure Winget Repository Source in Intune

Configure the official Microsoft winget repository as a trusted source within Intune to enable direct app selection and deployment.

In the Intune admin center, navigate to Apps > App sources > Add > Windows Package Manager.

Configure the repository settings:

  • Name: Microsoft Store (winget)
  • Repository URL: https://cdn.winget.microsoft.com/cache
  • Enable automatic updates: Yes
  • Update frequency: Daily

Click Add to save the configuration. This establishes the connection to Microsoft's official winget repository, allowing Intune to pull the latest package information.

Warning: Ensure your firewall allows access to the winget CDN endpoint. Blocked access will prevent package discovery and downloads.

Verification: After adding the source, you should see it listed under App sources with a "Healthy" status. The sync process may take 15-30 minutes initially.

03

Deploy Applications Using Direct Winget Integration

Use Intune's native winget integration to deploy applications directly from the Windows Package Manager repository. This method provides the cleanest deployment experience with automatic update capabilities.

Navigate to Apps > All apps > Add > Windows app (Win32) > Select from Windows Package Manager.

Search for your desired application. For example, search for "Google Chrome" and select the appropriate package. Configure the application details:

  • Name: Google Chrome Enterprise
  • Publisher: Google LLC
  • Category: Productivity
  • Show in Company Portal: Yes
  • Information URL: https://www.google.com/chrome/

Under Program settings, the install and uninstall commands are automatically populated:

Install command: winget install --exact --id Google.Chrome --scope machine --silent
Uninstall command: winget uninstall --exact --id Google.Chrome --scope machine --silent

Configure Requirements:

  • Operating system architecture: x64
  • Minimum operating system: Windows 10 1709

Set up Detection rules using the registry method:

  • Rule type: Registry
  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
  • Detection method: Key exists

Verification: Create a test assignment to a small device group first. Monitor deployment status in Apps > Monitor > App install status.

04

Create PowerShell Script for Custom Winget Deployments

For applications not available through direct integration or when you need custom installation logic, create PowerShell scripts that leverage winget commands.

Create a new PowerShell script file named Install-NotepadPlusPlus.ps1:

# Install Notepad++ via winget
$AppID = "Notepad++.Notepad++"
$LogPath = "C:\Windows\Temp\WingetInstall.log"

# Check if winget is available
try {
    $WingetVersion = winget --version
    Write-Output "Winget version: $WingetVersion" | Out-File -FilePath $LogPath -Append
} catch {
    Write-Error "Winget not found. Ensure Microsoft App Installer is installed."
    exit 1
}

# Install the application
try {
    Write-Output "Installing $AppID..." | Out-File -FilePath $LogPath -Append
    $InstallResult = winget install --id $AppID --scope machine --silent --accept-package-agreements --accept-source-agreements
    
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Installation successful" | Out-File -FilePath $LogPath -Append
        exit 0
    } else {
        Write-Output "Installation failed with exit code: $LASTEXITCODE" | Out-File -FilePath $LogPath -Append
        exit $LASTEXITCODE
    }
} catch {
    Write-Error "Installation failed: $_"
    Write-Output "Installation error: $_" | Out-File -FilePath $LogPath -Append
    exit 1
}

Create a corresponding detection script Detect-NotepadPlusPlus.ps1:

# Detection script for Notepad++
$AppID = "Notepad++.Notepad++"

try {
    $InstalledApps = winget list --id $AppID 2>$null
    if ($InstalledApps -match $AppID) {
        Write-Output "Application found"
        exit 0
    } else {
        exit 1
    }
} catch {
    exit 1
}
Pro tip: Always include comprehensive logging in your scripts. This makes troubleshooting deployment issues much easier when reviewing Intune logs.

Verification: Test your scripts locally on a test device before packaging them for Intune deployment.

05

Package and Deploy PowerShell Scripts as Win32 Apps

Convert your PowerShell scripts into Win32 app packages that can be deployed through Intune's application management system.

Download the Microsoft Win32 Content Prep Tool from the official Microsoft repository. Create a source folder structure:

C:\WingetApps\NotepadPlusPlus\
├── Install-NotepadPlusPlus.ps1
├── Detect-NotepadPlusPlus.ps1
└── install.cmd

Create an install.cmd wrapper file:

@echo off
powershell.exe -ExecutionPolicy Bypass -File "%~dp0Install-NotepadPlusPlus.ps1"
exit %ERRORLEVEL%

Use the IntuneWinAppUtil.exe to create the package:

IntuneWinAppUtil.exe -c "C:\WingetApps\NotepadPlusPlus" -s "install.cmd" -o "C:\WingetApps\Output"

In Intune admin center, go to Apps > All apps > Add > Windows app (Win32). Upload the generated .intunewin file and configure:

  • Install command: install.cmd
  • Uninstall command: winget uninstall --id Notepad++.Notepad++ --scope machine --silent
  • Install behavior: System
  • Device restart behavior: No specific action

Configure detection rules using Custom script and upload your Detect-NotepadPlusPlus.ps1 file.

Set requirements:

  • Operating system architecture: x64
  • Minimum operating system: Windows 10 1709
  • PowerShell script: Not required (we use cmd wrapper)
Warning: Always test Win32 app deployments on a small group first. Failed deployments can be difficult to troubleshoot without proper logging.

Verification: Monitor the deployment in Device install status and check the Intune Management Extension logs on target devices at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

06

Configure Automatic Updates and Maintenance

Set up automated update policies and maintenance schedules to keep your winget-deployed applications current across your organization.

Navigate to Device configuration > Profiles > Create profile > Settings catalog. Search for "Windows Package Manager" policies and configure:

{
  "WindowsPackageManager": {
    "EnableAutoUpdateCheck": true,
    "AutoUpdateCheckFrequency": "Daily",
    "AllowExperimentalFeatures": false,
    "EnableLocalManifests": false,
    "EnableMSStoreSource": true,
    "EnableDefaultSource": true,
    "EnableAdditionalSources": false
  }
}

Create a PowerShell script for scheduled updates Update-WingetApps.ps1:

# Automated winget update script
$LogPath = "C:\Windows\Temp\WingetUpdates.log"
$UpdateList = @(
    "Google.Chrome",
    "Notepad++.Notepad++",
    "Microsoft.VisualStudioCode"
)

Write-Output "Starting winget update process - $(Get-Date)" | Out-File -FilePath $LogPath -Append

# Update winget sources
winget source update

# Check for and install updates
foreach ($App in $UpdateList) {
    try {
        Write-Output "Checking updates for $App" | Out-File -FilePath $LogPath -Append
        $UpdateResult = winget upgrade --id $App --scope machine --silent --accept-package-agreements
        
        if ($LASTEXITCODE -eq 0) {
            Write-Output "$App updated successfully" | Out-File -FilePath $LogPath -Append
        } elseif ($LASTEXITCODE -eq -1978335189) {
            Write-Output "$App is already up to date" | Out-File -FilePath $LogPath -Append
        } else {
            Write-Output "$App update failed with code: $LASTEXITCODE" | Out-File -FilePath $LogPath -Append
        }
    } catch {
        Write-Output "Error updating $App: $_" | Out-File -FilePath $LogPath -Append
    }
}

Write-Output "Update process completed - $(Get-Date)" | Out-File -FilePath $LogPath -Append

Deploy this as a Proactive Remediation or scheduled PowerShell script to run weekly. Go to Devices > Scripts > Add > Windows 10 and later:

  • Run this script using the logged on credentials: No
  • Enforce script signature check: No
  • Run script in 64-bit PowerShell: Yes

Verification: Check the update logs on target devices and monitor application versions through Intune reporting.

07

Monitor Deployments and Troubleshoot Issues

Implement comprehensive monitoring and troubleshooting procedures to ensure successful winget deployments across your organization.

In Intune admin center, navigate to Apps > Monitor to access deployment analytics:

  • App install status: Shows success/failure rates per application
  • Device install status: Per-device deployment results
  • User install status: User-specific installation data

Create a PowerShell monitoring script Monitor-WingetDeployments.ps1:

# Winget deployment monitoring script
$LogPath = "C:\Windows\Temp\WingetMonitoring.log"
$ReportPath = "C:\Windows\Temp\WingetReport.json"

# Get winget version and status
$WingetInfo = @{
    Version = (winget --version 2>$null)
    Sources = (winget source list 2>$null)
    InstalledApps = @()
    LastCheck = (Get-Date).ToString()
}

# Get list of winget-installed applications
try {
    $InstalledList = winget list --source winget 2>$null
    if ($InstalledList) {
        $WingetInfo.InstalledApps = $InstalledList -split "`n" | Where-Object { $_ -match "\w+" } | Select-Object -Skip 2
    }
} catch {
    Write-Output "Error getting installed apps: $_" | Out-File -FilePath $LogPath -Append
}

# Check Intune Management Extension service
$IMEService = Get-Service -Name "Microsoft Intune Management Extension" -ErrorAction SilentlyContinue
$WingetInfo.IMEStatus = if ($IMEService) { $IMEService.Status } else { "Not Found" }

# Export report
$WingetInfo | ConvertTo-Json -Depth 3 | Out-File -FilePath $ReportPath -Encoding UTF8

Write-Output "Monitoring report generated: $ReportPath" | Out-File -FilePath $LogPath -Append

Common troubleshooting steps for failed deployments:

  1. Check winget availability:
    winget --version
Get-AppxPackage -Name "Microsoft.DesktopAppInstaller"
  2. Verify network connectivity:
    Test-NetConnection -ComputerName "cdn.winget.microsoft.com" -Port 443
winget source list
  3. Check Intune Management Extension logs:
    Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" | Sort-Object LastWriteTime -Descending | Select-Object -First 5
Pro tip: Enable verbose logging in your deployment scripts and use Intune's built-in log collection feature to gather diagnostic information from failed deployments.

Verification: Run the monitoring script on test devices and review the generated JSON reports to ensure all components are functioning correctly.

Frequently Asked Questions

What are the network requirements for winget deployments through Microsoft Intune?+
Devices must have access to https://cdn.winget.microsoft.com/cache for the official winget repository, Microsoft Store endpoints for App Installer downloads, and standard Intune management endpoints. Ensure your firewall allows HTTPS traffic to these Microsoft CDN endpoints. No specific port requirements beyond standard HTTPS (443) are needed, but some organizations may need to whitelist the winget CDN domain in their proxy configurations.
Can I deploy custom or line-of-business applications using winget with Intune?+
While winget primarily focuses on publicly available applications from its official repository, you can create custom PowerShell scripts that use winget for public dependencies and traditional Win32 deployment methods for your line-of-business apps. Alternatively, you can create private winget repositories, though this requires additional infrastructure setup. Most organizations use a hybrid approach: winget for standard software and traditional Intune Win32 apps for custom applications.
How do automatic updates work with winget-deployed applications in Intune?+
Automatic updates can be configured through Intune device configuration policies using the Settings Catalog for Windows Package Manager policies. You can enable automatic update checks, set frequency (daily/weekly), and control which sources are allowed for updates. Additionally, you can deploy PowerShell scripts as Proactive Remediations or scheduled tasks to run winget upgrade commands for specific applications, providing granular control over the update process while maintaining centralized management.
What happens if winget is not installed on target devices before app deployment?+
App deployments will fail if winget is not available on the target device. You must first deploy Microsoft App Installer (package ID: 9NBLGGH4NNS1) through Intune as a required Microsoft Store app to all devices. This ensures winget is available before any winget-based application deployments are attempted. You can also use dependency relationships in Intune to ensure App Installer is installed before other winget-dependent applications are deployed.
How can I troubleshoot failed winget deployments in Microsoft Intune?+
Start by checking the Intune Management Extension logs at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs on the target device. Verify winget is installed and functional using 'winget --version' and 'winget source list' commands. Check network connectivity to the winget CDN and ensure the device can reach Microsoft's package repository. Use Intune's built-in log collection feature to gather diagnostic information, and implement verbose logging in your deployment scripts to capture detailed error information for analysis.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#intune#winget#deployment

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Set PowerShell Execution Policy Using Intune and Group Policy
tutorial
DevOps

How to Set PowerShell Execution Policy Using Intune and Group Policy

Deep Dive
How to Deploy Bitwarden Password Manager Using Microsoft Intune
tutorial
Cybersecurity

How to Deploy Bitwarden Password Manager Using Microsoft Intune

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account